Nginx + Certbot • universal HTTP challenge solution

Update your server configuration with Certbot / Letscrypt snippets for your Nginx server. Automate SSL certificate challenges by including simple snippets.


Wojtek Andrzejczak
Nginx + Certbot • universal HTTP challenge...

Update your server configuration with Certbot / Letscrypt snippets for your Nginx server. Automate SSL certificate challenges by including simple snippets.

Nginx Letsencrypt snippet

If you are using CentOS or AWS Amazon Linux, you can create the file under /etc/nginx/snippets/letsencrypt-acme-challenge.conf

What this snippet does, it checks if current URI navigation pattern matches /.well-known/acme-challenge/ and maps root directory to /var/www/letsencrypt the folder which we have previously created.

#############################################################################
# Configuration file for Let's Encrypt ACME Challenge location
# This file is already included in listen_xxx.conf files.
# Do NOT include it separately!
#############################################################################
#
# This config enables to access /.well-known/acme-challenge/xxxxxxxxxxx
# on all our sites (HTTP), including all subdomains.
# This is required by ACME Challenge (webroot authentication).
# You can check that this location is working by placing ping.txt here:
# /var/www/letsencrypt/.well-known/acme-challenge/ping.txt
# And pointing your browser to:
# http://xxx.domain.tld/.well-known/acme-challenge/ping.txt
#
# Sources:
# https://community.letsencrypt.org/t/howto-easy-cert-generation-and-renewal-with-nginx/3491
#
#############################################################################

# Rule for legitimate ACME Challenge requests (like /.well-known/acme-challenge/xxxxxxxxx)
# We use ^~ here, so that we don't check other regexes (for speed-up). We actually MUST cancel
# other regex checks, because in our other config files have regex rule that denies access to files with dotted names.
location ^~ /.well-known/acme-challenge/ {

    # Set correct content type. According to this:
    # https://community.letsencrypt.org/t/using-the-webroot-domain-verification-method/1445/29
    # Current specification requires "text/plain" or no content header at all.
    # It seems that "text/plain" is a safe option.
    default_type "text/plain";

    # This directory must be the same as in /etc/letsencrypt/cli.ini
    # as "webroot-path" parameter. Also don't forget to set "authenticator" parameter
    # there to "webroot".
    # Do NOT use alias, use root! Target directory is located here:
    # /var/www/common/letsencrypt/.well-known/acme-challenge/
    root         /var/www/letsencrypt;
}

# Hide /acme-challenge subdirectory and return 404 on all requests.
# It is somewhat more secure than letting Nginx return 403.
# Ending slash is important!
location = /.well-known/acme-challenge/ {
    return 404;
}

Nginx config file

Inside of the Nginx config file under, we add snippet for all port 80 requests to handle our Letscrypt / Certbot challenge.

http {
    # other stuff

    # our code
    server {
        listen 80;
        listen [::]:80;

        charset utf-8;
       
        # our snippet
        include snippets/letsencrypt-acme-challenge.conf;
    }
}

Nginx virtual host

Now for any virtual host we are using, we can insert our snippet include file. If we are running first-time creation for our domain, SSL might require to comment out include lines that try to load SSL certificate, which is not yet created. So Nginx, reload operation might fail.

server {
    listen 443 ssl http2;
    server_name wojtek.ch www.wojtek.ch;
     
    #our snippet
    include snippets/letsencrypt-acme-challenge.conf;

    # our SSL config
    include snippets/wojtek.ch/ssl.conf;
    include snippets/wojtek.ch/ssl-params.conf;


    # other config for your virtual host website
}

Generate Certbot SSL certificate

Now we can check our setup by running test, dry-run mode. You need to be careful because there is a limit of fail challenge request (5 per hour). So you want to be sure that everything goes smoothly 🙂

certbot certonly --webroot -d wojtek.ch -d www.wojtek.ch --dry-run

After executing the command, we’ll be asked to provide webroot directory which in our case is /var/www/letsencrypt

Useful links

Subscribe to receive updates about new articles.

Show Comments (0)

Comments

Related Articles

Troubleshooting

HTTP Cache-Control • what should you know

Caching resources of our application or website is very important. We want to deliver content to the user in the shortest possible time.

Posted on by Wojtek Andrzejczak